Network access control systems, such as NETWORK ACCESS PROTECTION™ supplied by Microsoft Corporation of Redmond, Wash., USA, are used in enterprise networks in which network access policies may be prescribed by a network administrator. Such systems include agents on network clients that collect “health” information about the clients. This health information is provided to a health validation server that can compare the health of the client to a network access policy and determine whether the client computer is healthy enough to be given network access.
“Health” information indicates whether the client computer is configured with protective software or hardware that adequately reduces the risk that the client computer will spread viruses on the network or otherwise create a security risk. For example, health information may indicate whether antivirus software is installed on the client computer and whether the most recent updates to that software's virus definition files have been installed. As other examples, the health information may include an indication of whether software patches that remedy security vulnerabilities have been installed, or an indication of the type or operational status of a firewall or anti-spyware software in use by the client computer.
This health information is provided to a health validation server that can compare the health of the client to a network access policy and determine whether the client computer should be given network access.
Because enterprise networks include access control mechanisms, if access is denied for health reasons, that denial can be enforced by the access control mechanism. When access is denied, the client computer may be precluded from accessing the network entirely. In other settings, however, when a client computer's health does not qualify it for network access under the access policy specified by the network administrator, the client computer may be “quarantined.” When quarantined, the client computer is allowed limited network access so that it can download software or patches and “remediate” itself into compliance with the network access control policies.
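As an added illustration of the policy comparison and quarantine enforcement described above (not Microsoft's code or data format), the following Python models a client health statement, an access policy, the health validation server's decision with its remediation steps, and the access control mechanism's per-destination check; all field names, dates, addresses and patch identifiers are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model of a NAP-style health statement, access policy and
# access decision; an added illustration, not Microsoft's data format.

@dataclass
class HealthStatement:
    antivirus_installed: bool
    av_definitions_date: date        # date of the newest definition file
    missing_security_patches: list   # identifiers of patches not yet installed
    firewall_enabled: bool

@dataclass
class AccessPolicy:
    max_definition_age_days: int
    require_firewall: bool
    require_all_patches: bool
    quarantine_noncompliant: bool    # False: deny access outright instead

def validate_health(stmt, policy, today):
    """Compare a health statement with the policy, as the health validation
    server does; return (verdict, remediation steps)."""
    steps = []
    if not stmt.antivirus_installed:
        steps.append("install antivirus software")
    elif (today - stmt.av_definitions_date).days > policy.max_definition_age_days:
        steps.append("update virus definition files")
    if policy.require_all_patches and stmt.missing_security_patches:
        steps.append("install patches: " + ", ".join(sorted(stmt.missing_security_patches)))
    if policy.require_firewall and not stmt.firewall_enabled:
        steps.append("enable firewall")
    if not steps:
        return "full", []
    return ("quarantine" if policy.quarantine_noncompliant else "deny"), steps

# Constructed addresses of the servers a quarantined client may still reach
REMEDIATION_SERVERS = {"10.0.0.10", "10.0.0.11"}

def permit_connection(verdict, destination):
    """Access control enforcement: full access, remediation-only, or none."""
    if verdict == "full":
        return True
    return verdict == "quarantine" and destination in REMEDIATION_SERVERS

# Constructed sample inputs
TODAY = date(2024, 1, 15)
POLICY = AccessPolicy(7, True, True, quarantine_noncompliant=True)
HEALTHY_CLIENT = HealthStatement(True, date(2024, 1, 14), [], True)
STALE_CLIENT = HealthStatement(True, date(2023, 12, 1), ["patch-0001"], False)
```

The remediation list returned for a quarantined client is exactly what the client must complete before resubmitting its health statement for full access.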